This year's top six cyber risks for businesses, according to The Chertoff Group principal Adam Isles, include: an increase in destructive attacks targeting industrial control systems, the expansion of IoT as a threat vector, the evolution in nation-state activity tradecraft, advances in identity subversion as a tactic, an increased use of software subversion to bypass security controls and an increase in third-party risk.

Every four years, the U.S. intelligence community releases a Global Trends Report, and the one released in January 2017 cited destruction of important civilian infrastructure as an increasingly likely form of emerging warfare.

The rise in attacks targeting industrial control systems can be attributed to factors including the relative ease of brute forcing default or weak passwords on ICS equipment, an increase in the number of ICS accessible to the public and an uptick in motivation by malicious actors to control ICS for political influence or monetary gain.

New Opportunities to Exploit Devices

“Threat is a function of motivation, capability and opportunity,” Isles said. “2018 is expected to bring additional advances particularly regarding autonomous/artificial intelligence-enabled systems and their use in both private and professional settings. As this trend advances, so too does the opportunity to exploit such devices for malicious purposes.”

In the last few years, many cyberattacks were seen using IoT devices like CCTV cameras in large-scale DDoS attacks, including an October 2016 attack that disrupted internet services throughout the U.S. for almost a full day. These attacks highlight large-scale challenges in ensuring that IoT devices are properly configured to prevent a compromise of those devices.

Even if U.S. authorities were to introduce legislation for producers to lock down IoT vulnerabilities, the threat from exposed devices from other countries does not diminish, per Isles.

Organized Crime

“Where malicious activity can be attributed to state actors, U.S. authorities have worked with allied governments to take responsive action — for example, sanctions and criminal indictments plus related cooperation through extradition and mutual legal assistance treaties,” he explained. “So, the ability to act without the attendant consequences of attribution will be of increasing utility to threat actors. In that vein, state actors are increasingly relying on capabilities — people and technology — with roots in organized crime.”

Per the 2017 indictment of individuals allegedly involved in the Yahoo breach, including officers of Russia's Federal Security Bureau: “One of the criminal hackers has been the subject of an Interpol 'Red Notice' and was listed as one of the FBI's 'Most Wanted' hackers since 2012. He resides in Russia, within the FSB's jurisdiction to arrest and prosecute. Rather than arrest him, however, the FSB officers used him.”

In addition, while state actors have access to zero-day exploits, the state of unremediated vulnerabilities makes it more likely they will use recycled malware and hacking tactics to minimize the chances of attribution. The security vulnerabilities of passwords are well-covered in security literature, and we are now seeing significant consequences of compromised passwords via “credential stuffing” attacks, which involve automated machine-gun style access attempts via compromised username/password pairs.

So, according to Isles, understanding these risks, organizations are increasingly shifting to the use of multi-factor authentication to reduce risks around single-factor approaches.

Three Trends

We should expect to see increased reporting across three trends, according to Isles:

  • Newly discovered vulnerabilities in multi-factor approaches based on increased focus by security researchers.

  • Exploitation of unremediated vulnerabilities by malicious actors.

  • Resorting to social engineering to subvert the identity-proofing process that underlies multifactor authentication.

There is a flaw in the technology underlying token-based authentication systems — they use public key infrastructure to maintain confidentiality of the supporting keys. This flaw, discovered in the chip underlying the tokens in question, effectively means that it takes much less time than previously thought for a malicious actor to reverse engineer the private key from its public counterpart, per Isles.

The consequence is that attacks are more feasible against systems protected by those tokens. In this case, the security researchers who identified the vulnerability worked with the impacted token providers, who themselves aided customers in remediating the vulnerability.

Compromise of Text Messages

“Likewise, there is an increase in threat reporting around the compromise of text messages that provide one-time passcodes as a second factor,” he said. “In turn, there is also an increase in reporting around social engineering schemes that trick customer support centers into updating the mobile phones associated with an account from the legitimate account holders to that of a malicious actor.”

As seen during the 2017 NotPetya and other incidents, adversaries are using third-party software as an entry vector to deploy malware on targeted systems. Security controls were bypassed through the subversion of trusted third-party software, so malicious actors could infiltrate at the source of a supply chain, compromise the third-party software in question, and leverage this compromise to inject malware into victim computer systems, which then spread laterally through those systems. Maersk reported an impact of over $300 million, as did pharmaceutical provider Merck.

“In 2018, we expect to see a greater emphasis on review and securing all phases of the software development lifecycle, not only testing before release but also during the planning, development and update phases as well,” Isles explained.

Focus on Misconfigurations and Cloud Services

Allowing partner organizations access to sensitive data and systems can help a company focus on what it does best rather than the extraneous support functions. But the risks from the trend have multiplied as organizations have increasingly offloaded specialized services to others, in particular, cloud service providers.

Uber CEO Dara Khosrowshahi said, “External attackers inappropriately accessed user data stored on a third-party cloud-based service that we use to gain unauthorized access to this information. While this compromise did not breach our corporate systems or infrastructure, it did result in the compromise of personal information for 57 million Uber customers around the world.”

Isles added, “Even cloud services that have strong security built in can entail vulnerabilities if customers do not properly configure and maintain them. Thus, we expect more focus in 2018 on services that can help customers spot misconfigurations and risky levels of access on cloud services.”
